This article describes features that are part of the Advanced Security Add-on for Support Enterprise.

Note: Guide plans are covered by the Advanced Security Add-on regardless of plan level. This means that if you have Support Enterprise, the Advanced Security Add-on, and a Guide plan (Guide Lite, Professional, or Enterprise), your Guide plan is covered by the add-on.

Enhanced disaster recovery

Zendesk Support performs daily backups of customers’ Service Data to provide basic disaster recovery. Customers can also have real-time data replication as well as dedicated capacity and failover to a different data center in a secondary region in the event of a disaster.

All customers are assigned to a specific POD in one of our data centers. Customers with the Enhanced DR feature are also assigned a secondary (warm) POD, which contains a real-time replication of their Service Data and dedicated redundant capacity. The primary and secondary PODs are located in two separate, geographically diverse data centers. In the event of a significant disaster, this allows Zendesk Support to fail over from the primary POD to the secondary POD more seamlessly.

To break this down a little further, here are some additional details:

In addition to our standard data backup practices, the extra layer of real-time replication in a secondary location lessens the chance of any Service Data loss as the result of a significant disaster. Because of this real-time replication, we are able to maintain a targeted Recovery Point Objective (RPO) of 0 hours from the point of impact.

The secondary POD has a full application stack and dedicated redundant capacity in place. This, combined with the Service Data being readily available, allows for a straightforward failover from the primary POD within a short number of hours. For customers with the Enhanced DR feature, there is a targeted Recovery Time Objective (RTO) of 8 hours after a declaration of a disaster.

We have extensively tested both our US and EU Enhanced DR functionality. These exercises consisted of a full failover from each data center to its secondary site and a rollback to its original state. Each quarter we perform an exercise that touches either our US or EU Enhanced DR. The scenarios for these exercises vary and include different elements of our business continuity and disaster recovery plans.

Our business continuity and disaster recovery plan and associated technical runbooks are detailed and have been vetted through each DR exercise.

HIPAA applies to providers of health care, health plans, and health care clearinghouse services. These providers are required to handle patient personal health information (PHI/ePHI) in a way that meets defined security standards. When providers (known as covered entities) use third-party vendors or services (business associates) where personal health information might be stored, those business associates need to adhere to the standards as well. This agreement is contractually defined in a Business Associate Agreement (BAA).

Zendesk helps customers fulfill their HIPAA obligations by providing these covered entities or business associates with appropriate security configuration options to help safeguard protected health information (PHI), which may exist within Service Data, from misuse and wrongful disclosure. Please note that Zendesk is limited to the status of a business associate. Moreover, Zendesk is not a holder of the ‘Designated Record Set’. The HIPAA requirements for a business associate are met through Zendesk's SOC2 and ISO27001/ISO27018 certifications and internal HIPAA audits. For more information on HIPAA, please see below, or email security for the specifics of Zendesk's HIPAA program.

Note that Zendesk's BAA only covers the following products (special configurations apply). Any other Zendesk products or third party services (including integrations or applications) cannot be HIPAA-enabled.

Support Enterprise

Support Elite

Chat Enterprise

Talk Enterprise

Talk Professional

Legacy Talk Advanced

Insights

Guide Lite

Guide Professional

Guide Enterprise

Explore Lite

Explore Professional

To review our security configuration requirements for HIPAA Enabled Accounts, please visit https://help.zendesk.com/hc/en-us/articles/360001499747 (note that our security configurations may change from time to time due to changes in law and regulation and changes to the Zendesk Service, so it is always advised to ‘follow’ this article to be apprised of any changes). For further security information, please contact security@zendesk.com. Please contact your Zendesk account executive if you would like to request the BAA or have any questions on how to set up a HIPAA-enabled account.

Exceptions to the Advanced Security Offering

The advanced security features detailed above may not apply to the following services:

Zendesk Net Promoter Score (NPS) Surveys

Zendesk Insights (note, however, that Insights can be HIPAA-enabled per the Zendesk BAA and required security configurations)

Other services managed and hosted by third parties and the data you enter into these other services, as defined in our Master Subscription Agreement

Click here to learn more about security for Zendesk Talk and Insights. For the other services listed above click here to learn more about Zendesk security.

Is there a possibility this pricing can be reduced to a more reasonable level - we need HIPAA compliance but not 50 agents, and given this level of pricing, we are probably likely to use Atlassian ServiceDesk instead, which has a much better pricing model.

We finally get the BAA we've been requesting for years, but only if you spend a fortune for the Enterprise level service? I'm very disappointed. Zendesk will be an outlier in this field. Is there truly such a premium for HIPAA compliance?

There are many small healthcare startups that are starving for HIPAA-compliant integrations, but there's no way we'd need 50 agents or could afford $2000/month. Please know that it's not just giant hospital systems and insurers that need this functionality - help us little guys, too.

Amazon Web Services, Dropbox, and more now offer this as part of their services. I encourage you folks to take a look at the market and reconsider your current product offering and associated costs. There are a ton of SMBs and small medical providers who need to protect ePHI and receive BAAs from their vendors.

Agreed, definitely still too high. And requiring the enterprise plan. There are users that are not on the enterprise plan that would love to have these features at a reasonable cost. This is not reasonable.

Just to clarify that Enterprise is a type of plan, not a Zendesk product. And, at the present moment, the advanced security feature mentioned in this article is only available as an Add-on for Enterprise accounts/planners.

You are correct and you must be on Support Enterprise and purchase the Advanced Security add-on to have your data encrypted. If this is something you're interested in and wish to hear more about pricing, I would encourage you to reach out to your Account Executive so they can assist further :)

Let me know if you're not sure who your AE is and I can generate a ticket on your behalf.